5627 matches found
JVN#72854072: Aipo vulnerable to cross-site request forgery
Aipo from Aimluck, Inc. is groupware including functions such as scheduler and intra-office blogging. Aipo contains a cross-site request forgery vulnerability. Impact If an administrative user views a malicious page while logged into Aipo, data stored within Aipo may be altered. Solution Update t...
JVN#59779256: Cybozu Garoon vulnerable to cross-site scripting
Cybozu Garoon is a groupware. Cybozu Garoon contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the web browser of an user who is logged on. Solution Update the software Update to the latest version according to the information provided by the developer...
JVN#71542734: F-Secure Internet Gatekeeper for Linux authentication issue
F-Secure Internet Gatekeeper for Linux provided by F-Secure Corporation is an anti-virus product. F-Secure Internet Gatekeeper for Linux contains an issue where authentication is not present. Impact A remote attacker may view access logs that are stored by the product. Solution Update the firmwar...
JVN#68536660: Archive Decoder may insecurely load executable files
Archive Decoder is a file extraction software that supports multiple file formats. Archive Decoder loads certain executables .exe when extracting files. Archive Decoder contains an issue with the file search path, which may insecurely load executables. Impact An attacker may execute arbitrary cod...
JVN#58439007: e-Pares vulnerable to cross-site scripting
e-Pares is a system that manages facility conference rooms, etc. information. e-Pares contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provide...
JVN#90248889: Interstage Application Server vulnerable in request processing
The Servlet service provided by the Interstage Application Server from Fujitsu Limited, contains a vulnerability where certain requests may be handled improperly depending on the settings at the load balancing device. Impact Invalid requests may be processed or user information may be leaked...
JVN#33977065 WebCalenderC3 cross-site scripting vulnerability
WebCalenderC3 from C3 Corp. is a calender software. WebCalenderC3 contains a cross-site scripting vulnerability. According to the developer, they were not able to reproduce the vulnerability. However, to mitigate against potential security risks, the developer has released a security enhanced...
JVN#00152874 P forum vulnerable to directory traversal
P forum from Rocomotion is a bulletin board software. P forum contains a directory traversal vulnerability. Impact A remote attacker could view an arbitrary file on the server. Solution Update the Software Update to the latest version according to the information provided by the developer. This...
JVN#32788272 PHP-I-BOARD from Let's PHP! vulnerable to directory traversal
PHP-I-BOARD from Let's PHP! is a bulletin board software. PHP-I-BOARD contains a directory traversal vulnerability. Impact A remote attacker could view an arbitrary file on the server. Solution Update the Software Update to the latest version according to the information provided by the developer...
JVN#81111541 EC-CUBE vulnerable to SQL injection
EC-CUBE from LOCKON CO.,LTD. is an open source system for creating shopping websites. EC-CUBE contains a SQL injection vulnerability. Impact A remote attacker could obtain the website administrator's privilege which was created using EC-CUBE. Solution Update the Software Apply the latest updates...
JVN#77432756 FreeStyleWiki cross-site scripting vulnerability
FreeStyleWiki, one of Wiki clones, contains a cross-site scripting vulnerability. Impact An arbitrary script could be executed if a FreeStyleWiki user views a specially crafted web page with Internet Explorer. Other web browsers that use the Internet Explorer browser engine may also be affected...
JVN#14072646 BlognPlus SQL injection vulnerability
BlognPlus from R-ONE Computer is software for creating blogs. BlognPlus for MySQL and for PostgreSQL contain a SQL injection vulnerability. According to the vendor, BlognPlus for Text is not affected by this vulnerability since it does not use a database. Impact A remote attacker could obtain...
JVN#31351020 Cross-site scripting vulnerabilities in multiple Bluemoon Inc. XOOPS modules
Mutiple modules provided by Blumoon Inc. for XOOPS 2.0.x / XOOPS Cube 2.1 / ImpressCMS are vulnerable to cross-site scripting. Impact An arbitrary script can be executed on the user's web browser. Solution Update the Software Update the product to the latest version according to the information...
JVN#82610488 Lhaplus buffer overflow vulnerability
Lhaplus, file compression/decompression software supporting multiple compression file formats, contains a buffer overflow vulnerability. If a user decompresses a specially crafted file, an attacker could execute arbitrary code with the privilege of the user. This vulnerability is different from...
JVN#72595280 Flash Player allows to send arbitrary Referer headers
Adobe Flash Player is a multimedia and application browser plugin for viewing Adobe Flash contents. Flash Player contains a vulnerability allowing to send arbitrary Referer headers. Impact As a flash file swf can send an arbitrary Referer header and Flash Player cannot properly validate Referer...
JVN#67974490 Webmin directory traversal vulnerability
Impact A remote attacker could view files on the computer without authentication. Private information could be leaked as a result. Solution Products Affected Webmin 1.280 and earlier Usermin 1.210 and earlier As of June 30, 2006, patched versions of the module addressing this vulnerability for al...
JVN#83263796 SquirrelMail cross-site scripting vulnerability
Impact A malicious script may be executed on the user's web browser. Solution Products Affected SquirrelMail 1.4.0 - 1.4.6 Release Candidate...
JVN#39546799: Mailform Pro CGI generating error messages containing sensitive information
Mailform Pro CGI provided by SYNCK GRAPHICA contains a vulnerability listed below. Generation of error message containing sensitive information CWE-209 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N Base Score 6.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N Base Score 3.7...
JVN#86156389: Remarshal unlimitedly expanding YAML alias nodes
Remarshal provided by Remarshal Project expands YAML alias nodes unlimitedly CWE-674, hence Remarshal is vulnerable to Billion Laughs Attack. Impact Processing untrusted YAML files may cause a denial-of-service DoS condition. Solution Update the Software Update to the latest version according to...
JVN#08237727: Citadel WebCit vulnerable to cross-site scripting on Instant Messaging facility
Citadel WebCit provided by Citadel contains a cross-site scripting vulnerability CWE-79. Impact When a malicious user sends an instant message with some JavaScript code, the script may be executed on the web browser of the victim user. Solution Update the software Update the software to the lates...
JVN#17434995: Shihonkanri Plus vulnerable to relative path traversal
Shihonkanri Plus provided by EKAKIN contains a relative path traversal vulnerability CWE-23. Impact An attacker may execute arbitrary code by having a legitimate user import a specially crafted backup file of the product. Solution Update the software Update the software to the latest version...
JVN#90278893: Wacom Tablet Driver installer for macOS vulnerable to improper link resolution before file access
Wacom Tablet Driver installer for macOS provided by Wacom contains an improper link resolution before file access vulnerability CWE-59. Impact When a user is tricked to execute a small malicious script before executing the affected version of the installer, an arbitrary code may be executed with...
JVN#29902403: Installers generated by Squirrel.Windows may insecurely load Dynamic Link Libraries
Squirrel.Windows is both a toolset and a library that provides installation and update functionality for Windows desktop applications. Installers generated by Squirrel.Windows contain an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact...
JVN#75063798: Booked vulnerable to open redirect
Booked provided by Twinkle Toes Software contains an open redirect vulnerability CWE-601. Impact When accessing a specially crafted URL, the user may be redirected to an arbitrary website. As a result, the user may become a victim of a phishing attack. Solution Update the software Update the...
JVN#51464799: L2Blocker Sensor setup screen vulnerable to authentication bypass
L2Blocker provided by SOFTCREATE CORP. contains a vulnerability CWE-288 in which the login authentication is bypassed by using alternative paths or channels for Sensor. Impact An attacker who can access the device may perform an unauthorized login and obtain the stored information or cause a...
JVN#33797604: NFC Port Software remover may insecurely load Dynamic Link Libraries
NFC Port Software remover provided by Sony Corporation is an application to remove NFC Port Software. NFC Port Software remover contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries CWE-427. Impact Arbitrary code may be executed with the privilege...
JVN#73550134: WordPress plugin "Event Calendar WD" vulnerable to cross-site scripting
The WordPress plugin "Event Calendar WD" provided by Web-Dorado contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the logged in user's web browser. Solution Update the plugin Update the plugin according to the information provided by the developer...
JVN#34508179: Installer of "Setup file of advance preparation" may insecurely load Dinamic Link Libraries
"Setup file of advance preparation" provided by National Tax Agency is software to setup the environment which is required to use "filing assistance on the NTA website". "Setup file of advance preparation" contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Li...
JVN#80238098: Hands-on Vulnerability Learning Tool "AppGoat" vulnerable to remote code execution
AppGoat provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA is a hands-on vulnerability learning tool. Hands-on Vulnerability Learning Tool "AppGoat" for Web Application contains a remote code execution vulnerability. Impact When accessing a specially crafted URL, arbitrary code may be...
JVN#11326581: Empirical Project Monitor - eXtended vulnerable to cross-site scripting
Empirical Project Monitor - eXtended provided by INFORMATION-TECHNOLOGY PROMOTION AGENCY, JAPAN IPA contains a reflected cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Do not use Empirical Project Monitor - eXtended The...
JVN#88745657: Cybozu KUNAI for Android information management vulnerability
Cybozu KUNAI for Android is a mobile client software for using Cybozu from an Android device. Cybozu KUNAI for Android provides a function to output log information when synchronizing data with Cybozu, however the function is disabled by default. Cybozu KUNAI for Android contains an issue where i...
JVN#12796388: Nessus vulnerable to cross-site scripting
Nessus contains a stored cross-site scripting CWE-79 vulnerability in handling .nessus files. Impact Arbitrary JavaScript may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information provided by the developer. Products Affected...
JVN#06726266: Cybozu Office multiple cross-site scripting vulnerabilities
Cybozu Office contains multiple cross-site scripting vulnerabilities below. Cross-site scripting in the "Customapp" function - CVE-2016-4865 Version| Vector| Score ---|---|--- CVSS v3| CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N| Base Score: 4.8 CVSS v2| AV:N/AC:L/Au:S/C:N/I:P/A:N| Base Score:...
JVN#55389065: CS-Cart add-on "Twigmo" vulnerable to PHP object injection
CS-Cart add-on "Twigmo" contains a PHP object injection vulnerability due to a flaw where untrusted input values are unserialized. Impact A remote attacker may execute arbitrary PHP code. Solution Edit twigmo.php This vulnerability can be addressed by deleting or commenting out the following part...
JVN#61317238: ETX-R vulnerable to cross-site request forgery
ETX-R provided by I-O DATA DEVICE, INC. is a wired LAN router. ETX-R contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Apply a Workaround The following workarounds may mitigate the...
JVN#74659077: TERASOLUNA Server Framework for Java(WEB) access restriction bypass vulnerability in the file extention filter
The TERASOLUNA Server Framework for JavaWEB provided by NTT Data Corporation is a software framework for creating web applications. The TERASOLUNA Server Framework for JavaWEB has a function to restrict access to contents with specified file extentions from browser requests. This function may be...
JVN#33879831: Cybozu Garoon fails to restrict access permissions
Cybozu Garoon is a groupware. Cybozu Garoon fails to restrict access permissions in the API to retrieve the Address Book information. Impact A user may obtain other user's Address Book information. Solution Update the Software Update to the latest version according to the information provided by...
JVN#53542912: Cybozu Garoon fails to restrict access permissions
Cybozu Garoon is a groupware. Cybozu Garoon fails to restrict access permissions in the mail function. Impact An unintentional image file may be displayed on the mail view. As a result, an attacker may be convinced that the user read the email. Solution Update the Software Update to the latest...
JVN#28480773: WisePoint contains issue in preventing clickjacking attacks
WisePoint contains an issue in the protection against clickjacking attacks on the management screen. Impact If a user views a malicious page while logged in, unintended operations may be conducted. Solution Update the Software Update to the latest version according to the information provided by...
JVN#48720230: Cybozu Office access restriction bypass vulnerability
Cybozu Office contains an access restriction bypass vulnerability in multiple functions. Impact A remote unauthenticated attacker may view the information about the groupware. An authenticated attacker may obtain privileged information or may cause specific functions to become unusable. Solution...
JVN#90135579: SonicWall TotalSecure TZ 100 Series vulnerable to denial-of-service (DoS)
SonicWall TotalSecure TZ 100 Series is a firewall product provided by Dell Inc. SonicWall TotalSecure TZ 100 Series contains a denial-of-service DoS vulnerability. Impact Processing a specially crafted packet may lead to a denial-of-service DoS. Solution Update the firmware Update to the latest...
JVN#13874649: Enisys Gw vulnerable to cross-site scripting
Enisys Gw provided by Techno Project Japan Co. is an open source groupware. Enisys Gw contains a cross-site scripting vulnerability CWE-79. Impact An arbitrary script may be executed on the user's web browser. Solution Update the Software Update to the latest version according to the information...
JVN#08494613: NScripter vulnerable to buffer overflow
NScripter is a script engine to build and execute games. NScripter contains a buffer overflow vulnerability due to a flaw in processing save data. Impact By processing a specially crafted save data, arbitrary code may be executed. Solution For developers using NScripter: Update and Rebuild the Ga...
JVN#12241436: MilkyStep vulnerable to cross-site request forgery
MilkyStep provided by Igreks Inc. is a CGI for e-mail newsletter distribution management. MilkyStep contains a cross-site request forgery vulnerability CWE-352. Impact If a user views a malicious page while logged in, unintended operations may be performed. Solution Update the Software Update to...
JVN#68819526: "Restaurant Karaoke SHIDAX" App for Android fails to verify SSL server certificates
"Restaurant Karaoke SHIDAX" App for Android fails to verify SSL server certificates. Impact A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication. Solution Update the Software Update to the latest version according to the information provided by the developer...
JVN#55063777: Google Captcha (reCAPTCHA) by BestWebSoft vulnerable to CAPTCHA authentication bypass
Google Captcha reCAPTCHA by BestWebSoft is a plugin for WordPress. Google Captcha reCAPTCHA by BestWebSoft contains a CAPTCHA authentication bypass vulnerability CWE-254. Impact If this vulnerability is exploited, an attacker may be able to successfully login to WordPress and access an...
JVN#32631078: Multiple ASUS wireless LAN routers vulnerable to cross-site request forgery
Multiple wireless LAN routers provided by ASUS JAPAN Inc. contain a cross-site request forgery vulnerability. Impact If a user views a malicious page while logged in, unintended operations may be conducted. In addition, when this vulnerability is exploited along with the vulnerability stated in...
JVN#61181790: LinPHA vulnerable to cross-site scripting
LinPHA is a software to manage and host image files on the web. LinPHA contains a cross-site scripting vulnerability. Impact An arbitrary script may be executed on the user's web browser. Solution Do not use LinPHA LinPHA is no longer being developed or maintained, therefore it is recommended to...
JVN#58417930: Huawei E5332 vulnerable to denial-of-service (DoS)
Huawei E5332 provided by Huawei Technologies is a mobile router. Huawei E5332 contain an issue when processing a URL that is extremely long, which may lead to the device to terminate abnormally. Impact An attacker that can send requests to the device may cause the device to become unresponsive...
JVN#50367052: EmFTP may insecurely load executable files
EmFTP contains a flaw when loading files, where an unitended executable file may be loaded when attempting to open a file without an extension. For example, if a text file named "exmaple" without an extension and an executable "example.exe" are in the same directory, attemtping to open the file...